From 0cde3da655ffdfff3b55a1cb5418f6a17c2117a1 Mon Sep 17 00:00:00 2001
From: David Turner <david.turner@elastic.co>
Date: Tue, 14 Sep 2021 09:54:06 +0100
Subject: [PATCH] Note S3 plugin uses JVM-wide truststore (#77676) (#77682)

Today it's not clear how to tell Elasticsearch to trust an S3-compatible
repository that presents a certificate issued by a private or
nonstandard CA. This commit expands the docs to say how.

Supersedes #65034
Relates #77081

Co-authored-by: Joost De Cock <joost@decock.org>

Co-authored-by: Joost De Cock <joost@decock.org>

Co-authored-by: Joost De Cock <joost@decock.org>
---
 docs/plugins/repository-s3.asciidoc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docs/plugins/repository-s3.asciidoc b/docs/plugins/repository-s3.asciidoc
index d0b6b9960f6be..a893f9c1cdab8 100644
--- a/docs/plugins/repository-s3.asciidoc
+++ b/docs/plugins/repository-s3.asciidoc
@@ -125,7 +125,10 @@ settings belong in the `elasticsearch.yml` file.
 `protocol`::
 
     The protocol to use to connect to S3. Valid values are either `http` or
-    `https`. Defaults to `https`.
+    `https`. Defaults to `https`. When using HTTPS, this plugin validates the
+    repository's certificate chain using the JVM-wide truststore. Ensure that
+    the root certificate authority is in this truststore using the JVM's
+    `keytool` tool.
 
 `proxy.host`::